diff --git a/.gitignore b/.gitignore index 16eca3c..ab5f561 100644 --- a/.gitignore +++ b/.gitignore @@ -164,3 +164,4 @@ /cockpit-206.tar.xz /cockpit-207.tar.xz /cockpit-208.tar.xz +/cockpit-209.tar.xz diff --git a/cockpit.spec b/cockpit.spec index 4a24353..b1234d8 100644 --- a/cockpit.spec +++ b/cockpit.spec @@ -1,5 +1,5 @@ # This spec file has been automatically updated -Version: 208 +Version: 209 Release: 1%{?dist} # # This file is maintained at the following location: @@ -231,7 +231,7 @@ done for lib in systemd tmpfiles.d firewalld; do rm -r %{buildroot}/%{_prefix}/%{__lib}/$lib done -for libexec in cockpit-askpass cockpit-session cockpit-ws cockpit-tls cockpit-desktop; do +for libexec in cockpit-askpass cockpit-session cockpit-ws cockpit-tls cockpit-wsinstance-factory cockpit-desktop; do rm %{buildroot}/%{_libexecdir}/$libexec done rm -r %{buildroot}/%{_libdir}/security %{buildroot}/%{_sysconfdir}/pam.d %{buildroot}/%{_sysconfdir}/motd.d %{buildroot}/%{_sysconfdir}/issue.d @@ -395,13 +395,14 @@ Conflicts: firewalld < 0.6.0-1 Recommends: sscg >= 2.3 Recommends: system-logos Requires: systemd >= 235 +Suggests: sssd-dbus Requires(post): systemd Requires(preun): systemd Requires(postun): systemd %if %{defined wip} # HACK: don't apply selinux %post dependencies to CI builds, it would require refreshing images %else -%if 0%{?rhel} || 0%{?fedora} +%if 0%{?rhel} # for SELinux policy adjustment in %post below Requires(post): /usr/sbin/semanage Requires(post): policycoreutils 
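Review bot: Narrowing the guard to `%if 0%{?rhel}` in the `@@ -395,13 +395,14 @@` hunk drops `Requires(post): /usr/sbin/semanage` and `Requires(post): policycoreutils` on Fedora, so the condition around the SELinux commands in `%post` has to be narrowed the same way. That opening `%if` is not visible in this diff; if it still covers Fedora, the scriptlet would call `semanage` and `restorecon` with no guarantee they are installed when it runs. I would add a comment beside the condition, for example `# keep in sync with the %if guarding the SELinux block in %post`.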
@@ -411,12 +412,16 @@ Requires(post): policycoreutils %description ws The Cockpit Web Service listens on the network, and authenticates users. +If sssd-dbus is installed, you can enable client certificate/smart card +authentication via sssd/FreeIPA. + %files ws -f cockpit.lang %doc %{_mandir}/man1/cockpit-desktop.1.gz %doc %{_mandir}/man5/cockpit.conf.5.gz %doc %{_mandir}/man8/cockpit-ws.8.gz %doc %{_mandir}/man8/cockpit-tls.8.gz %doc %{_mandir}/man8/remotectl.8.gz +%doc %{_mandir}/man8/pam_cockpit_cert.8.gz %doc %{_mandir}/man8/pam_ssh_add.8.gz %config(noreplace) %{_sysconfdir}/cockpit/ws-certs.d %config(noreplace) %{_sysconfdir}/pam.d/cockpit @@ -439,6 +444,7 @@ The Cockpit Web Service listens on the network, and authenticates users. %{_prefix}/%{__lib}/tmpfiles.d/cockpit-tempfiles.conf %{_sbindir}/remotectl %{_libdir}/security/pam_ssh_add.so +%{_libdir}/security/pam_cockpit_cert.so %{_libexecdir}/cockpit-ws %{_libexecdir}/cockpit-wsinstance-factory %{_libexecdir}/cockpit-tls @@ -463,7 +469,7 @@ test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet || true # HACK: SELinux policy adjustment for cockpit-tls; see https://github.com/fedora-selinux/selinux-policy-contrib/pull/114 set -ex echo "Applying SELinux policy change for cockpit-tls.." -semanage fcontext -a /usr/libexec/cockpit-tls -t cockpit_ws_exec_t +semanage fcontext -a /usr/libexec/cockpit-tls -t cockpit_ws_exec_t || true restorecon /usr/libexec/cockpit-tls tmp=$(mktemp -d) cat < $tmp/local.te 
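Review bot: The `|| true` added to `semanage fcontext -a /usr/libexec/cockpit-tls -t cockpit_ws_exec_t` in the `@@ -463,7 +469,7 @@` hunk hides every failure, not only the "already defined" case that presumably motivated it on upgrades. Despite `set -ex`, a missing or failing `semanage` now passes silently, and `restorecon` then applies whatever label the loaded policy gives, which can leave cockpit-tls without `cockpit_ws_exec_t`. Falling back to a modify keeps real errors visible: `semanage fcontext -a /usr/libexec/cockpit-tls -t cockpit_ws_exec_t || semanage fcontext -m /usr/libexec/cockpit-tls -t cockpit_ws_exec_t`. The same `|| true` is added for cockpit-wsinstance-factory in the `@@ -471,23 +477,27 @@` hunk, and the scriptlet continues past the end of this hunk.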
@@ -471,23 +477,27 @@ module local 1.0; require { type cockpit_ws_t; type cockpit_ws_exec_t; + type cockpit_session_t; + type cockpit_var_run_t; class unix_stream_socket { create_stream_socket_perms connectto }; - class file { execute_no_trans}; + class file { open read map getattr execute_no_trans}; + class dir { getattr search open read }; } allow cockpit_ws_t cockpit_ws_t:unix_stream_socket { create_stream_socket_perms connectto }; allow cockpit_ws_t cockpit_ws_exec_t:file { execute_no_trans }; + +# https://github.com/fedora-selinux/selinux-policy-contrib/pull/130 +allow cockpit_session_t cockpit_var_run_t:file { open read map getattr }; EOF checkmodule -M -m -o $tmp/local.mod $tmp/local.te semodule_package -o $tmp/local.pp -m $tmp/local.mod semodule -i $tmp/local.pp rm -rf "$tmp" -%endif -%if 0%{?rhel} || 0%{?fedora} # HACK: SELinux policy adjustment for cockpit-tls; see https://github.com/fedora-selinux/selinux-policy-contrib/pull/161 echo "Applying SELinux policy change for cockpit-wsinstance-factory..." -semanage fcontext -a /usr/libexec/cockpit-wsinstance-factory -t cockpit_ws_exec_t +semanage fcontext -a /usr/libexec/cockpit-wsinstance-factory -t cockpit_ws_exec_t || true restorecon /usr/libexec/cockpit-wsinstance-factory %endif @@ -699,6 +709,15 @@ via PackageKit. # The changelog is automatically generated and merged %changelog +* Fri Dec 13 2019 Marius Vollmer - 209-1 + +- New overview design +- Session timeouts +- Banners on login screen +- Client certificate authentication +- Support for Fedora CoreOS +- Dropped support for pam_rhost + * Wed Nov 27 2019 Martin Pitt - 208-1 - Storage: Drop “default mount point” concept diff --git a/sources b/sources index 5be9f6f..337938b 100644 --- a/sources +++ b/sources 
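Review bot: The `require` block in the `@@ -471,23 +477,27 @@` hunk now declares `class dir { getattr search open read }`, but no visible `allow` rule uses a `dir` permission; the only new rule is `allow cockpit_session_t cockpit_var_run_t:file { open read map getattr };`. Either drop the unused `class dir` line or add the rule it was meant for, so that someone auditing this module can tell which access is intended. The comment above the wsinstance-factory commands still reads "adjustment for cockpit-tls"; `# HACK: SELinux policy adjustment for cockpit-wsinstance-factory; see ...` would match the lines it covers. The module is also installed under the generic name `local`, which may replace an administrator's own module of that name, so a package-specific module name would be safer. The heredoc holding this policy starts in the previous hunk.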
@@ -1 +1 @@
-SHA512 (cockpit-208.tar.xz) = 9f203439118b44ccacc933858c01496001787df076990942086ae8cf710a8169c69715fde5589a0467426d1960d2e330cc4156607b3a1972185393a583830b6a
+SHA512 (cockpit-209.tar.xz) = e81153d926c13f55ba13accf2b448eaffc3e7a3faee06f07b890eb9525d6063ab3727ab2622e1ad64a7fd16f03e48973a67bd8cda4be5541379930d6799cb46a